Archive for the ‘Oracle Access Manager’ Category

Oracle Access Manager (OAM) 11g Auditing Tips

Monday, January 30th, 2012

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Let’s say you want to enable auditing with Oracle Access Manager 11g so you can see successful (and failed) authentication and authorization events. You will commonly see documentation telling you to simply change the Audit Policy settings for your WebLogic domain in Enterprise Manager (see below) to enable OAM auditing.

Oracle Enterprise Manager - Audit Policy

There’s actually an additional step that you will need to take to fully enable auditing. Log in to the OAM Console and navigate to the System Configuration tab. Choose Common Settings, and under Audit Configuration (see below) you will see an option to enable a Filter. Note that the Filter Preset option defaults to Low, so you’ll need to change it to All to see authentication and authorization events. One more important thing to do is remove any users from the list; otherwise you will only capture events for the users listed.

OAM Console - Audit Configuration

Note that you’ll have to restart after you make the changes in Enterprise Manager. After the restart, you will find audit events in the IAU_BASE table and in the BI Publisher OAM reports. Remember, you can find the OAM reports in <Oracle_Home>/oam/server/reports/oam_audit_reports_11_1_1_3_0.zip.

Questions, comments or concerns? Feel free to reach out to us at IDMWorks.

Oracle Identity & Access Manager 11g for Administrators (Packt Publishing)

Tuesday, October 11th, 2011

Our Oracle Practice Lead, Jom John, has recently been a technical reviewer for Packt Publishing’s “Oracle Identity and Access Manager 11g for Administrators“.

The book is a solid addition to your IAM toolkit, both for those whose role requires administering Oracle Identity Management (OIM & OAM), including installation, configuration, and day-to-day tasks, and for those simply looking to learn the Oracle IAM stack who need a starting point. Beginner or advanced alike might want to pick this book up.

There aren’t a lot of great resources on this subject so when one comes out and it happens to be a product one of our team has worked on then we can endorse it highly.

If you are looking to have Jom or our Oracle team involved in your Oracle IAM project, feel free to reach out to us at IDMWorks!

And feel free to ask any questions below and we will make Jom answer them :)

Setting up Oracle Identity and Access Management Suite (11g) in the Cloud: A few things that work & don’t work

Wednesday, March 2nd, 2011

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

The Oracle IAM 11g suite consists of several different products: Identity Federation, Identity Manager, Internet Directory, and Access Manager, to name a few. All of the products, or rather most of the products, have the same basic requirements (database, RCU, WebLogic, and IDM) that must be installed. Because of the nature of the Amazon EC2 Cloud, there are a few things to keep in mind when building these components in the Cloud and a few things to do before starting your applications. Please note this is all MS Windows centric.

Install order…

You can install the database or WebLogic first, it really doesn’t matter, but I typically will use the following order as it provides a good restore point:

FIRST:

  1. Database (software) install
  2. WebLogic 10.3.4 install
  3. IDM (software only install)

Back EVERYTHING Up

THEN:

  1. Install the listener
  2. Create database
  3. Run RCU
  4. Install SOA (only if needed)
  5. Configure IDM

When Installing the Database:

  1. When installing the database (Cloud or not), it helps to set some environment variables in Windows (this isn’t as necessary with 11g as with older installs, but it can still be a time saver). In the Cloud, setting ORACLE_HOSTNAME="permanent name of machine" is very helpful, as both the listener and the dbconsole have real trouble starting after a reboot when the machine name changes. This allows the database to start successfully as a service in Windows, and it makes it easier to remember what to type into the IDM RCU setup and IDM configuration setup.
  2. When creating the database, set open cursors to 500, session cached cursors to 100, and processes to 500. This can be done in the DBCA when creating the database by pressing the “All Initialization Parameters” button on the Configure Options screen (where you configure both the memory and character set).

When Installing WebLogic:

Make sure you use the generic jar file with any 64 bit install.

  1. Install Java if needed, then from a command prompt go to the directory where the jar file is located and type: java -jar wls1034_generic.jar (or whatever the name of the jar is).

When Installing the Oracle IAM Suite:

Once the suite is configured for your application and the WebLogic domain created there are a few things that can be done to make life a little easier:

  1. You can edit the config.xml file (located at Oraclehome\user_projects\domains\IDMDomain\config) to point to the correct host name by changing all instances of ip-xxxxxxxx.ec2.internal to hostname.cloud.<organization>.net, to ensure the admin console starts correctly.
  2. For those who use the Fusion Enterprise Console, it may have trouble starting due to a class path issue. To correct the error, open setdomainenv.cmd and search for the following line:

set POST_CLASSPATH=(Oracle_home)\wlserver_10.3\server\lib\weblogic.jar:;%POST_CLASSPATH%

Just after that line, add the following:

set POST_CLASSPATH=(Oracle_home)\Oracle_IDM1\oui\jlib\lib\http_client.jar:;%POST_CLASSPATH%

  3. Save and close the file.
  4. Restart WebLogic for the change to take effect.

Last but not least:

  1. Add the host name "ip-xxxxxxxxxxx.internal" from when the applications were configured to your Hosts file, located at c:\windows\system32\drivers\etc, pointing to 127.0.0.1 (the IP loop-back address in Windows). This should help solve everything else not already solved. This way, whenever you boot, any app that asks for the old name will be able to route to the server directly. This might not be the cleanest solution but it’ll work.
  2. In fact, make sure all listening addresses in WebLogic are set to blank and the nodemanager is set to localhost (if you set it to blank, it automatically sets to localhost), and launch your managed WebLogic sessions with the loopback address (to be sure it launches successfully).

The combination of these tricks should resolve most, if not all, issues in getting IDM environments up and running in the cloud.

PS: In order to start your environment:

To start WebLogic: oracle_home\user_projects\domains\IDMDomain\startWebLogic.cmd

To start your Application: oracle_home\user_projects\domains\IDMDomain\bin\startmanagedweblogic Appservername http://serverhostname:7001

Questions? Feel free to reach out to us at IDMWorks.

Zen and the Art of Identity Management

Monday, November 15th, 2010

Interestingly enough I have been asked many times as to what exactly IDMWorks is and what it is that we do (and I don’t just mean the wife and kids).  As such it seems time to do the quasi-annual blog sales pitch.  I think most of our readers have an idea what we do and have perused the site to better inform themselves but there are some that don’t tread any farther than this here blog.  So in keeping with the simplicity of blogvertising I present you IDMWorks.

Subject:  Enterprise Identity & Access Management and Governance, Risk & Compliance

You may be aware of many of the issues organizations are facing today around the various challenges and aspects of Identity Management and Information Security.

At IDMWORKS we understand the problems that many of you are facing and are positioned to help. IDMWORKS is a vendor agnostic Identity Management, Access Management, and Governance, Risk and Compliance Management Consultancy. We have consultants and engineers across the United States and North America that specialize in helping clients with most aspects of Identity, Access Management, and GRC issues, including the following:

  • Identity and Access Management technology evaluations and POCs
  • Identity Management strategy creation, Integration and Deployment
  • Identity Management / IT Security Technologies Assessment, Evaluation,  and Planning
  • Identity Management / IT Security Education
  • Pre & Post Identity Management project Support Services
  • Identity Federation
  • PCI Compliance
  • Governance, Risk and Compliance Management , Provisioning
  • Single Sign-on and Web Access management
  • Data Loss Prevention

IDMWORKS has been built upon the skills and experience of dedicated IDM professionals and specialists with a customer base that includes Government, Healthcare, Education, Financial Services, Energy, Manufacturing and Retail clients.

IDMWORKS has experience with the integration and implementation of the market  leading Identity & Access Management, and GRC solutions and technologies – CA, Oracle/Sun, Novell,  IBM,  Aveksa, Citrix, Passlogix,  and Sailpoint, to name a few – and would welcome the opportunity to discuss your IT Security needs to determine how we can help.

We would like to offer you the opportunity to take advantage of an initial Identity Management, and Compliance Assessment. The results of the assessment will include recommendations on potential solutions to address your current Identity management and GRC related issues.

For further information or to arrange an initial consultation, contact IDMWorks to discuss how we can help with a solution to address your needs.

So now what? What to do with your Sun IAM stack (hint: start looking)

Friday, November 12th, 2010

Legacy Sun Java System Identity and Access Management (IAM) customers have been calling us up often to ask about the state of the industry and their options with the Sun IAM stack moving forward.   The choices are many right now but one fact remains, Sun IDM and Open SSO’s days are numbered.  The products will be around for a while, years in fact, but eventually like that Saturn dealership on the corner, it will go away. Thus the grand migration is underway.  As an IAM enabled company the question of where to migrate to is paramount.  So let’s talk options.

Option 1) Stick with Sun As-Is

The old wait and see approach, but let’s be honest, the clock is ticking. Like a legacy application your IT staff built in their garage, it won’t keep up with the rest of the market and the future of IDM. There will never be a grand Cloud version of Sun IDM. What is most interesting is that there are options to move away from Sun that pretty much expire by year’s end.

So let’s move away from Option 1 for now and take a look at the future.

Option 2) “Migrate” to Oracle IAM (as part of Oracle Fusion Middleware)

I say migrate because with any non-Sun tool (and Oracle IAM is a much different beast) there is NO upgrade path. Oracle is attempting to woo existing Sun implementations into the fold by offering license swaps in the short term. For those looking to definitively move into Oracle IAM then this is the best bet and should be done ASAP as the swap cycle is time limited.

Option 3) Migrate to Novell IAM

Similar to Oracle, Novell is offering a swap out of the Sun software and licenses.  This is a very interesting proposition.  Novell is willing to give the product up for free in order to build the relationship.  Basically from what the Novell Website states:

  • The Sun Identity Manager swap gives you Novell Identity Manager, roles based provisioning module and enterprise integration module.
  • The Sun Role Manager swap gives you Novell Access Governance Suite.
  • The Sun Open SSO swap gives you Novell Access Manager.
  • The Sun Directory Server EE swap gives you Novell eDirectory.
  • Sun subscription customers can opt in for equivalent Novell product subscriptions and will be considered for additional incentives on a case-by-case basis.

I think this is a brilliant tactic that I am surprised a few other vendors haven’t tried. To be straight, Novell has a great directory and SSO offering and is making huge strides in the Provisioning and Federation space. At a minimum, for a no-cost look I might suggest talking to a Novell rep. But alas, much like Oracle, Novell’s offer is time-boxed. Come Dec. 31, 2010 a statement of interest (not a purchase mind you, this simply locks in Novell’s commitment in 2011 for the swap) must be signed or that coach turns back into a pumpkin.

Option 4) Migrate to CA IAM, IBM IAM, Microsoft IAM, etc. (there are many to choose from)

Choices, choices, choices.  I can say that CA is making a major push in the IAM space and IBM seems to be lagging a bit but has been a big player in the past.  Microsoft is also making strides to broaden their footprint in the IAM space.  And there are plenty more vendors to look at. My guess is there are deals to be had even if there is no published “sale” going on.

I wouldn’t keep any pre-conceived notions about any of the vendors right now and thanks to the Oracle-Sun purchase the alternative vendors are pumping time and money into getting your business.  We at IDMWorks are happy to work with you on any and all of the products in the market.  We can help to dissect and divide the various offerings and help you to understand the best choice that fits into your environment.

The point is NOW is the time to take the Pepsi challenge.  If you have a SUN IAM implementation you should be taking a look at the various vendors (including those not listed in Option 4) and line up a chat (or webcast, lunch-and-learn, email or phone call) with your local vendor representative because by 2011 a potential low cost update may go away.

Feel free to shoot us a note if you have questions.

Tricks of the Trade: Oracle Access Manager Performance Tuning

Thursday, October 28th, 2010

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Typically with COTS applications the vendor will provide instructions as to what software components are configurable to meet a customer’s business needs.  But is it enough to simply understand what components are allowed to be customized?

Depending on the nature of the business the customization can play a significant role in how an application performs and what software components need be tuned.

Some examples of the questions you need to ask yourself and your organization include:

What type of organization are we running the application in?

Is this a banking site where most of the daily activities are dawdling with the exception of pay day when everyone and their significant other wants to see their salaries deposited, thus slowing down the systems to a crawl?

Is this a high-traffic auction or retail site where customer registrations constantly hammer repositories while inventories get updated thousands of times per minute and the company must account for triple traffic around Chrismahanukwanzakah?

Is this a research site where databases get pounded with complex queries by the Revenge of the Nerds crew?

We at IDMWorks have run into these situations a multitude of times while working with customers.   Many times we see applications get tuned incorrectly or the application is tuned to the correct specifications but the hardware isn’t sufficient enough to handle the required settings (like putting a Smart Car engine in a Mustang).

So for today I would like to promote tuning guidelines for an Identity System, specifically Oracle Access Manager (OAM), and explain how to better tune your application and/or help make better decisions during the design and architecture phase of your project.

Tuning Identity System Searches

For OAM, and really any Access Management application, the types of searches that users conduct in the directory can significantly affect performance.

For example, Customer Service Representatives in a high traffic call center should not search for a customer by the last name “Smith” alone; they should instead search for the last name “Smith” combined with the first name to ensure the search is narrowed. Of course this is common sense and we all know how our users practice common sen….um, forget that last line.

So let’s force the CSRs to come to our train of thinking.

These steps below will help you to optimize Identity System Searches in the directory:

Restricting the operator use in search

When users conduct a search in an Identity System application, the search bar presents a drop-down list with options for matching the search input with a set of results. These options include the following:

  • That contains
  • Contains in order
  • Equals
  • Less than
  • Greater than
  • Begins with
  • Ends with
  • Sounds like

The “greater than” and “less than” operations can result in many entries being searched and retrieved. By eliminating these choices, you can improve the performance of search operations. You configure and adjust the search operations in a set of parameter files.

To eliminate the “greater than” and “less than” search operations

1.   To modify the search bar open each of the following files in a text editor (here Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\userservcenter\bin\userservcenterparams.xml
Install_dir\identity\oblix\apps\groupservcenter\bin\groupservcenterparams.xml
Install_dir\identity\oblix\apps\objservcenter\bin\objservcenterparams.xml
Install_dir\identity\oblix\apps\selector\bin\selectorparams.xml

2.  Find the entry for the ObEnhanceSearchList parameter in each of these files, and edit the entry in each of the files so that it only contains the following parameters:

<ValNameList ListName="ObEnhanceSearchList" >
<NameValPair ParamName="OOS" Value="MOOS"/>
<NameValPair ParamName="OSM" Value="MOSM"/>
<NameValPair ParamName="OEM" Value="MOEM"/>
<NameValPair ParamName="OBW" Value="MOBW"/>
<NameValPair ParamName="OEW" Value="MOEW"/>
</ValNameList>

4. Modify the query builder by opening the following file in a text editor:

Install_dir\identity\oblix\apps\querybuilder\bin\querybuilderparams.xml

5. Then edit the element ObQBOperatorsList to have only the following values:

<ValList ListName="ObQBOperatorsList" >
<ValListMember Value="CND_CON"/>
<ValListMember Value="CND_DNC"/>
<ValListMember Value="CND_EQ"/>
<ValListMember Value="CND_NEQ"/>
<ValListMember Value="CND_PRE"/>
<ValListMember Value="CND_NPR"/>
<ValListMember Value="CND_BW"/>
<ValListMember Value="CND_EW"/>
</ValList>

Require the user to enter a minimum number of characters in a search field

1.       To specify the minimum number of characters users must enter in the primary search bar open the following file in a text editor (where Install_dir is the directory where Oracle Access Manager is installed):

Install_dir\identity\oblix\apps\common\bin\oblixappparams.xml

2.       Set the value of the searchStringMinimumLength parameter to the minimum length of the string that users can input (as illustrated in the following example):

<NameValPair ParamName="SearchStringMinimumLength" Value="3"/>
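A way to verify the two procedures above after the files have been edited, as an added example that is not part of the original post or of Oracle's tooling: it parses a parameter file, flags any search operator outside the lists the post keeps, and checks the minimum search length. The sample XML is constructed, its wrapper elements are an assumption modelled on the basedbparams.xml listing later on this page, and "OXX" is a made-up placeholder for a leftover operator.

```python
import xml.etree.ElementTree as ET

# Allow-lists copied from the two snippets in the post.
SEARCH_BAR_ALLOWED = {"OOS", "OSM", "OEM", "OBW", "OEW"}
QUERY_BUILDER_ALLOWED = {"CND_CON", "CND_DNC", "CND_EQ", "CND_NEQ",
                         "CND_PRE", "CND_NPR", "CND_BW", "CND_EW"}


def _local(tag):
    """Drop a namespace prefix such as {http://www.oblix.com}."""
    return tag.rsplit("}", 1)[-1]


def _parse(xml_text):
    """Return (root, None), or (None, finding) if the text is not valid XML."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        # Typographic quotes pasted from a web page are a typical cause.
        return None, f"not well-formed XML: {exc}"


def _audit_list(xml_text, list_tag, list_name, item_tag, attr, allowed):
    """Findings for one operator list; an empty result means compliant."""
    root, err = _parse(xml_text)
    if err:
        return [err]
    for elem in root.iter():
        if _local(elem.tag) == list_tag and elem.get("ListName") == list_name:
            values = [c.get(attr) for c in elem if _local(c.tag) == item_tag]
            return [f"{list_name}: operator {v!r} is outside the allow-list"
                    for v in values if v not in allowed]
    return [f"{list_name}: list not found"]


def audit_search_bar(xml_text):
    return _audit_list(xml_text, "ValNameList", "ObEnhanceSearchList",
                       "NameValPair", "ParamName", SEARCH_BAR_ALLOWED)


def audit_query_builder(xml_text):
    return _audit_list(xml_text, "ValList", "ObQBOperatorsList",
                       "ValListMember", "Value", QUERY_BUILDER_ALLOWED)


def audit_min_length(xml_text, minimum=3):
    root, err = _parse(xml_text)
    if err:
        return [err]
    for elem in root.iter():
        name = elem.get("ParamName", "")
        # The post spells this parameter with both a lower- and upper-case "s".
        if (_local(elem.tag) == "NameValPair"
                and name.lower() == "searchstringminimumlength"):
            raw = elem.get("Value", "")
            if not raw.isdigit() or int(raw) < minimum:
                return [f"{name}: value {raw!r} is below the minimum of {minimum}"]
            return []
    return ["searchStringMinimumLength: parameter not found"]


# Constructed samples (not copied from a real installation).
WRAP = ('<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="sample">'
        '<CompoundList ListName="">{}</CompoundList></ParamsCtlg>')
SEARCH_BAR_SAMPLE = WRAP.format(
    '<ValNameList ListName="ObEnhanceSearchList">'
    '<NameValPair ParamName="OOS" Value="MOOS"/>'
    '<NameValPair ParamName="OXX" Value="MOXX"/>'
    '<NameValPair ParamName="OEW" Value="MOEW"/>'
    '</ValNameList>')
QUERY_BUILDER_SAMPLE = WRAP.format(
    '<ValList ListName="ObQBOperatorsList">'
    '<ValListMember Value="CND_CON"/><ValListMember Value="CND_EQ"/>'
    '</ValList>')
CURLY_QUOTE_SAMPLE = "<ValList ListName=\u201dObQBOperatorsList\u201d ></ValList>"
MIN_LENGTH_SAMPLE = WRAP.format(
    '<SimpleList><NameValPair ParamName="SearchStringMinimumLength" Value="0"/>'
    '</SimpleList>')

if __name__ == "__main__":
    checks = [("search bar", audit_search_bar(SEARCH_BAR_SAMPLE)),
              ("query builder", audit_query_builder(QUERY_BUILDER_SAMPLE)),
              ("curly quotes", audit_query_builder(CURLY_QUOTE_SAMPLE)),
              ("minimum length", audit_min_length(MIN_LENGTH_SAMPLE))]
    for label, findings in checks:
        print(label, "->", findings or "OK")
```

Because the checks work from allow-lists, they do not need to know the names of the removed operators; anything not listed in the post is reported.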

Restricting the Number of Entries Returned on a Search

You can set a limit on the number of elements that can be returned as the result of a search in OAM. This limits the effect that a search can have on performance. You configure the maximum number of search results that are returned from the directory server with the Size Limit parameter of the directory server instance profile.

For example, if you set the value of this parameter to 1,000, a maximum of 1,000 entries can be returned in the search results. The default value of 0 indicates that an unlimited number of results can be returned.

You can specify different size limits for different directory server profiles. For example, you can configure a size limit of 0 (unlimited) for the directory server instances that your valued Identity System Administrators use and you can configure a limit of 1,000 for the directory server profiles that are used by those lowly demented end users such as Customer Service Reps (wait, did I just write that?).

To restrict the number of entries returned on a search

1.       From the Identity System Console select System Configuration.

2.       On the System Configuration page select Directory Profiles.

3.       Select the link for the directory server profile to which you want to add a database instance (the Modify Directory Server Profile page will appear).

4.       Scroll down to Database Instances and select the database instance you wish to configure (the Modify Database Instance page appears).

5.       Configure the Size Limit parameter to indicate the maximum number of search results that can be returned from the directory server.

Create Thread-Safe Plug-Ins

Both the Access Server and Identity Server are multithreaded. Thus, when writing custom code, ensure that all Identity Event plug-ins are thread-safe. This recommendation also applies to Identity Event plug-ins.

Consider Pooling Identity Servers

It is a good practice to use at least two Identity Servers running in a pooled primary configuration. Pooled primary means using multiple Identity Servers that run as primary servers with one or more WebPass instances connecting to the primary Identity Servers.

You can use separate Identity Servers as secondary servers when using the pooled primary approach. If you have only two servers, a pooled primary configuration is recommended over using one primary and one secondary server. When running a pooled primary configuration it is best to use identical but separate hardware for the Identity Servers.

Advantages of pooled primary mode

  • Increased performance through load balancing
  • Increased availability through multiple servers
  • Automatic failover

Disadvantages of pooled primary mode

  • The cost of additional hardware.
  • Additional system configuration (if there are no secondary servers each primary server needs to be sized to handle the total expected load if the other primary servers are unavailable).

Configure Identity Servers from a File System Level

Identity Server configuration and stylesheet files must be identical on all servers. This applies to all configurations that use multiple Identity Servers. You should configure all Identity Servers from a file system level, that is, ensure that all directory and file system structures are identical.

Configure Identity Servers to Use 3 GB of Virtual Memory

On Windows, if the Identity Server causes high memory utilization, the system can crash. You can configure an Identity Server to use 3 GB of virtual address space even if 2 GB addressing is already enabled in the boot.ini file.

By default the virtual address space of Identity Server is limited to 2 GB. You can configure a 3GB switch in the Boot.ini file to allocate 3 GB of virtual address space to an Identity Server that uses IMAGE_FILE_LARGE_ADDRESS_AWARE in the process header. This switch allows applications to address an additional 1 GB of virtual address space beyond the usual 2 GB limit.

The following example shows how to add the 3GB parameter in the Boot.ini file to enable Identity Server memory tuning:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="????" /3GB

Well class, that is all for today, I hope this helps you with your deployment of Oracle Access Manager.

Look for additional discussions on tuning Workflows, Access Server and the Directory in the near future.

Elvis has left the building (what to do when a new version of the software is released).

Wednesday, August 25th, 2010

RE: Oracle Fusion Middleware 10g vs. 11g stack selection (OID, OVD, OIM, OAM specifically).

Here at IDMWorks we specialize in Identity and Access Management full life-cycle services.

Discovery √ Design √ Implementation √ Development √ Support √

During a recent trip to a customer site for an installation of the Oracle Fusion Middleware stack we ran into an interesting conundrum. We were to install the 10g release of OVD, OID, OAM and OIM into the development environment. The customer pointed out that 11g had been released approximately 3 weeks prior and asked for a recommendation of whether we should jump to the 11g implementation path or continue down the 10g path.

First, let me say, the customer was right on point with the question. We like a customer who is knowledgeable and will challenge the decisions and recommendations that we make as a team because that is the same customer who will “take care” of their system long after Elvis (or in this case IDMWorks) has left the building.

Conventional wisdom states that you never jump to the next release of a product in the first month. You wait for stabilization (and typically the first service pack). However in this case we must keep in mind that the products, at least the directory components, are pretty mature. So we can add another option of a mixed upgrade, perhaps 11g OID and OVD, with the 10g release of OAM and OIM. Additionally, with a new release, and this speaks to stabilization, you don’t have the luxury of all the little “gotchas” that have been addressed with implementations of the past. In our case, when we had a Linux Service Pack Library dependency issue, we had Google to rely on to find the fix in less than 5 minutes. No call to Oracle Support, no waiting for recreation and resolution, no explanation to the customer on why we must halt progress while we investigate the issue.

So we created a game plan as follows:

1) Stick with what works!
The known 10g release, while the “older” release, provides a level of maturity and issue resolution that will allow our project to remain on budget and on time. This is HUGE. The unknowns that a fresh release presents mean that, if the customer has time and budgetary constraints (don’t they all?), time spent resolving the “basics” is time (and hence money) lost.

2) Plan, Plan, Plan for the future!
To address the customer’s interest in 11g, we opted to develop an upgrade path and plan for 11g, including the steps, the timeline, the associated cost and the follow-up procedures that will allow a smooth, cost- and time-effective transition to the next release in a matter of months instead of years.

3) Work with the customer
This should go without saying, but don’t let personal agendas drive the project to failure. The customer wants (and rightfully so) the latest and greatest they can have. If that means the latest technology, then so be it. In our case we have three options: Old, New, and Newish (a little old and new mixed together). However, because we are the implementation partner, ours is not to decide but to recommend. As such we explained all available options, gave our recommended approach and let the customer know that if they chose to move forward with another option (the non-recommended one) we would support them 100% and move forward in that direction.

In the end the customer stuck with the recommended approach and we are well on our way to a successful implementation with a path to the future product laid over the existing framework!

The Problem with Old Cache

Tuesday, May 25th, 2010

This was the question our development team had to answer to resolve a fairly significant problem we had discovered with Oracle’s Access Manager.

Picture this.  You are a bank customer with an online account who logged on to the site and is prompted to change your password.

You perform a successful password change, but need to walk away from your computer for a few minutes, so you log off.  You come back within 10 minutes and decide to resume your online activities.  Upon providing your user id and new password, you receive an error message that your credentials are invalid.  You just changed it a minute ago; you clearly recall the new password value.  This must be a mistake, you think, let’s try again.  And again, the same error…, “We are sorry, your information is incorrect, please call our customer service department and wait approximately 45 minutes so we can help you”.

So, while waiting to speak with the customer service, ready to provide all kinds of security questions, including blood and tissue samples, you decide to try again.

You enter your user id and your new password and BINGO!!! You are logged on successfully.  Pretending you didn’t just waste 45 minutes of your life, you resume your online session activities.

What happened?  A few minutes ago it didn’t work, and now it does.

Our team was puzzled.  It passed System Integration and Capacity Testing and no one noticed this?  Here we are in Production and with 30 logons per second and average 15K concurrent sessions; calls were flooding our call centers.

THE PROBLEM

Access Manager’s default cache flush is set to 15 minutes causing a delay in the refresh with new values from the Directory. The web page performed an IDXML call, which initiated the change request and subsequently updated the user’s password in the Directory.  However, the Access Manager’s cache still contained the original password.  When logging back online the Access Manager’s authorization would fail the logon request because of the stale OAM cache.

The way to determine if this was in fact a cache issue is to manually flush the user’s cache using the Access System Console.  Once flushed, if the user can now login successfully, then the issue was more than likely the stale cache.

THE FIX

Assuming this is a cache issue, one method to correct this is to reduce the cache size in the Web Gates from 100,000 to 100. This approach forces increased updates to the Directory; however, in a high-traffic site environment, going to the directory for information can significantly degrade server performance.

The better solution is to modify the doAccessServerFlush configuration from “FALSE” to “TRUE”.  This signals that the AccessGate client has been configured on the OIS server and it can now begin to send user flush requests to the Access System, using the Access Manager API.

To do this, navigate to the Identity_server_installation_directory/oblix/data/common directory and update the file named: basedbparams.xml

Below is an example of the file:

<?xml version="1.0"?>
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="basedbparams">
<CompoundList ListName="">
<SimpleList >
<NameValPair   ParamName="default_policy" Value="false"/>
<NameValPair   ParamName="doAccessServerFlush" Value="true"/>
<NameValPair   ParamName="enableAllowAccessCache" Value="true"/>
<NameValPair   ParamName="SelfRegGeneratesSSOCookie" Value="false"/>
<NameValPair   ParamName="SR_SSOCookieMethod" Value="GET"/>
<NameValPair   ParamName="SR_SSOCookieURL" Value="/identity/oblix"/>
<NameValPair   ParamName="SR_SSOCookiePath" Value="/"/>
<NameValPair   ParamName="criticalReadForPostModify" Value="false"/>
</SimpleList>
</CompoundList>
</ParamsCtlg>
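
A toy model of the stale-cache failure and of the doAccessServerFlush fix described above, added here as an illustration; it is not Oracle's code. The class names, the user "alice", the passwords and the SHA-256 stand-in for the stored credential are assumptions; only the 15-minute flush interval and the flag name come from the post.

```python
import hashlib
import hmac

FLUSH_INTERVAL = 15 * 60  # seconds: the default cache flush named in the post


def digest(password):
    # Stand-in for the credential the directory stores (real ones are salted).
    return hashlib.sha256(password.encode()).hexdigest()


class Clock:
    """Manual clock so the 15-minute window can be replayed instantly."""

    def __init__(self):
        self.now = 0


class AccessServer:
    """Caches each user's credential until the flush interval has passed."""

    def __init__(self, directory, clock):
        self.directory = directory
        self.clock = clock
        self.cache = {}  # user -> (credential, time it was cached)

    def _credential(self, user):
        hit = self.cache.get(user)
        if hit is not None and self.clock.now - hit[1] < FLUSH_INTERVAL:
            return hit[0]                     # served from cache, maybe stale
        credential = self.directory[user]     # cache miss: read the directory
        self.cache[user] = (credential, self.clock.now)
        return credential

    def login(self, user, password):
        return hmac.compare_digest(self._credential(user), digest(password))

    def flush_user(self, user):
        self.cache.pop(user, None)


class IdentityServer:
    """Writes password changes to the directory, optionally flushing the cache."""

    def __init__(self, directory, access_server, do_access_server_flush):
        self.directory = directory
        self.access_server = access_server
        self.do_access_server_flush = do_access_server_flush

    def change_password(self, user, new_password):
        self.directory[user] = digest(new_password)
        if self.do_access_server_flush:
            # The behaviour the post attributes to doAccessServerFlush=true.
            self.access_server.flush_user(user)


def replay(do_access_server_flush):
    """Replay the bank-customer timeline; return the three login outcomes."""
    clock = Clock()
    directory = {"alice": digest("old-pass")}
    access = AccessServer(directory, clock)
    identity = IdentityServer(directory, access, do_access_server_flush)

    outcomes = [access.login("alice", "old-pass")]       # t=0: entry is cached
    clock.now = 60
    identity.change_password("alice", "new-pass")        # t=1 min
    clock.now = 120
    outcomes.append(access.login("alice", "new-pass"))   # t=2 min
    clock.now = 16 * 60
    outcomes.append(access.login("alice", "new-pass"))   # t=16 min
    return outcomes


if __name__ == "__main__":
    print("flush disabled:", replay(False))
    print("flush enabled: ", replay(True))
```

With the flush disabled the second login fails and only succeeds once the cached entry has aged out, which matches the customer's experience in the story; with the flush enabled the new password works immediately.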